Veröffentlichungen

Software systems are playing an increasing role in our everyday life, and asthe amount of software applications grows, so does their complexity and therelevance of their computations. Software components can be found in manysystems that are charged with safety-critical tasks, such as control systemsfor aviation or power plants. Hence, software verification techniques that arecapable of proving the absence of critical errors are becoming more and moreimportant in the field software engineering.A well-established approach to software verification is model checking.Applying this technique involves an exhaustive exploration of a state spacemodel corresponding to the system under consideration. The major challengein model checking is the so-called state explosion problem: The state space of asoftware system grows exponentially with its size. Thus, the straightforwardmodelling of real-life systems practically impossible. A common approach tothis problem is the application of abstraction techniques, which reduce theoriginal state space by mapping it on a significantly smaller abstract one.Abstraction inherently involves a loss of information, and thus, the resultingabstract model may be too imprecise for a definite result in verification.Therefore, abstraction is typically combined with abstraction refinement: Aninitially very coarse abstract model is iteratively refined, i.e. enriched withnew details about the original system, until a level of abstraction is reachedthat is precise enough for a definite outcome. Abstraction refinement-basedmodel checking is fully automatable and it is considered as one of the mostpromising approaches to the state explosion problem in verification. However,it is still faced with a number of challenges. There exist several types ofabstraction techniques and not every type is equally well-suited for all kinds ofsystems and verification tasks. Moreover, the selection of adequate refinementsteps is nontrivial and typically the most crucial part of the overall approach:Unfavourable refinement decisions can compromise the state space-reducingeffect of abstraction, and as a consequence, can easily lead to the failureof verification. It is, however, hard to predict which refinement steps willeventually be expedient for verification – and which not. In this thesis, we approach the previously addressed challenges of abstractionrefinement-based model checking by focusing on one specific typeof software system: Concurrent systems are compositions of interleaved executedsoftware processes that communicate via shared variables or messagepassing, which makes their verification particularly difficult. However, thesesystems also reveal a high amount of structural information – in particular, thecommunication dependencies between processes – that we exploit for improvingabstraction and refinement. To this end, we introduce a comprehensiveverification framework for concurrent systems.Our approach to abstraction is based on a combination of predicate abstraction– a data abstraction technique that replaces concrete system variables bypredicates – and spotlight abstraction – a technique that abstracts away entireprocesses of a concurrent system. We thus tackle the two major causes of stateexplosion for concurrent systems. Another key feature of our approach is theuse of a three-valued abstract domain. Properties in our models can take thevalues true, false and unknown, which enables us to explicitly model the lossof information due to abstraction: All true and false results obtained via modelchecking can be transferred to the original system, only an unknown outcome necessitates abstraction refinement.For automatically refining the abstract models we follow the concept ofcounterexample-guided abstraction refinement (CEGAR). Counterexamples are’unknown’ error paths in the abstract model that typically hint at several possibleways to resolve the uncertainty via refinement. In our scenario, theserefinement steps can involve the addition of new predicates or new processes.However, not every potential refinement step is expedient, which makes theselection of an appropriate step an exceedingly difficult task. Therefore, weintroduce a variant of CEGAR enhanced by heuristic guidance: Based on aniterative abstraction dependence analysis the possible refinement steps areheuristically evaluated with regard to their benefit for the current verificationtask, and the best evaluated step is chosen for refinement. In two casestudies, we demonstrate that our heuristic approach can significantly improvethe performance of abstraction-refinement-based verification of concurrentsystems. Our developed verification framework primarily allows for reasoning aboutsafety and liveness properties of concurrent systems that are composed of afixed number of processes. However, we also introduce an extension that facilitatesthe verification of parameterised systems – compositions of an unboundednumber of homogeneous processes. Our extension is based on a combinationspotlight abstraction with symmetry reduction, a reduction technique thatexploits the homogeneity in parameterised systems.

Predicate abstraction is an established technique in software verification. It inherently includes an abstraction refinement loop successively adding predicates until the right level of abstraction is found. For concurrent systems, predicate abstraction can be combined with spotlight abstraction, further reducing the state space by abstracting away certain processes. Refinement then has to decide whether to add a new predicate or a new process. Selecting the right predicates and processes is a crucial task: The positive effect of abstraction may be compromised by unfavourable refinement decisions. Here we present a heuristic approach to abstraction refinement. The basis for a decision is a set of refinement candidates, derived by multiple counterexample-generation. Candidates are evaluated with respect to their influence on other components in the system. Experimental results show that our technique can significantly speed up verification as compared to a naive abstraction refinement.

Parameterised model checking is concerned with verifying properties ofarbitrary numbers of homogeneous processes composed in parallel. Theproblem is known to be undecidable in general. Nevertheless, a numberof approaches have developed verification techniques for certainclasses of parameterised systems. Here, we present an approach combining symmetry arguments with spotlightabstractions. The technique determines (the size of) a particular instantiation of the parameterised system from the given temporallogic formula, and feds this into an abstracting model checker. Thedegree of abstraction with respect to processes occurring during modelchecking determines whether the obtained result is also valid for all other instantiations. This enables us to prove safety as well as liveness properties (specified in full CTL) of parameterised systems on very small instantiations.